Busy help desks are the social engineer's playground. Attackers take full advantage of the chaos on help desks that are just trying to keep up with the high volume of calls routinely besieging them. Staffers barely have time to reset passwords, let alone verify the caller's identity.
The three rules for defeating social engineers are verify, verify and verify. Even if you can only contact the user by phone, there are simple ways to separate legitimate employee requests from those of attackers and con men outside the company, or of less-than-scrupulous employees who are up to no good.
First, every help desk staffer should have an employee directory readily available. The directory should hold more information about the employee than just their phone number and e-mail address: their department, their manager's name, their title, and their location or cube number, for example. Check whether the caller is listed. If not, red flags should go up immediately. Even if they are listed, ask a few random questions drawn from the directory entry. The important thing is to keep the questions random and unpredictable. Report any slip-ups or obvious irregularities to your information security department's incident response team for follow-up, and provide them with whatever additional information the help desk staffer has to track down the offender.
There are two other ways for the help desk to protect itself after a password reset. One is to send an e-mail to the employee immediately after completing the reset. If someone other than the employee maliciously changed the password in the employee's name, the real employee will probably call the help desk right after getting the e-mail, and will likely sound concerned or ask questions about the supposed "mix-up." The other is to follow up after the reset with a call to the employee's boss, who can then verify the request with the employee in person.
Also, keep a readily available log of all password resets. Educate your help desk staff to check the log and always look out for:
- Suspicious patterns
- Repeated resets by the same individual, or groups either in the same or related departments
- Requests at odd times or from unusual locations
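As an added illustration (not part of the original article), the following script runs the three checks above over a constructed password-reset log: resets outside business hours or on weekends, caller locations that do not match the employee directory, and repeated resets by the same employee within a window. The log format, directory, business-hours policy and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the original article). Each log entry is a
# password reset recorded by the help desk: timestamp, employee id, and the
# location the caller claimed to be calling from.
RESET_LOG = """\
2005-11-01T09:15:00,e1001,Boston
2005-11-02T03:40:00,e1002,Boston
2005-11-03T10:05:00,e1001,Boston
2005-11-04T14:20:00,e1003,Denver
2005-11-07T11:30:00,e1001,Boston
2005-11-08T16:45:00,e1004,Chicago
"""

# Constructed employee directory (hypothetical): employee id -> office location.
DIRECTORY = {"e1001": "Boston", "e1002": "Boston", "e1003": "Chicago", "e1004": "Chicago"}

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time, assumed policy
REPEAT_THRESHOLD = 3            # resets by one employee within the window
WINDOW_DAYS = 30

def parse_log(text):
    """Parse 'timestamp,employee,location' lines into (datetime, emp, loc) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ts, emp, loc = line.split(",")
        entries.append((datetime.fromisoformat(ts), emp, loc))
    return entries

def flag_resets(entries, directory):
    """Return (employee, reason) findings for odd times, unusual locations, repeats."""
    findings = []
    per_employee = defaultdict(list)
    for ts, emp, loc in sorted(entries):
        # Odd time: outside business hours or on a weekend (Sat=5, Sun=6)
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            findings.append((emp, f"odd time {ts.isoformat()}"))
        # Unusual location: caller's stated location does not match the directory
        if directory.get(emp) != loc:
            findings.append((emp, f"unusual location {loc}"))
        # Repeated resets: count this employee's resets inside the sliding window
        per_employee[emp].append(ts)
        recent = [t for t in per_employee[emp] if (ts - t).days < WINDOW_DAYS]
        if len(recent) == REPEAT_THRESHOLD:
            findings.append((emp, f"{REPEAT_THRESHOLD} resets in {WINDOW_DAYS} days"))
    return findings
```

Running `flag_resets(parse_log(RESET_LOG), DIRECTORY)` on the sample flags the 03:40 reset for e1002, the Denver call for e1003, and the third reset for e1001 within a week, while e1004's routine reset passes cleanly.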
This was first published in November 2005